Implementation of CRL in Glassfish 4.1 - ssl

I'm experimenting with an instance of Glassfish v4.1 installed in a VM trying to make mutual authentication work. Everything goes like a charm, except the CRL (certificate revocation list) part. I've searched through the whole Internet, but it seems nobody knows about managing CRLs in Glassfish v4.1. The only sites I found were this and this. The first one refers to Glassfish v2/v3. None of them works.
Does anyone know if Glassfish v4.1 allows the implementation of CRL through a static file, like the article at the first link suggests? If so, how can I achieve it?

I finally found out how to make it work. The first link I gave in my question pointed in the right direction, but it had an error. Actually, the property "crlFile" doesn't exist, at least not in Glassfish v3.0.1 ([Oracle GlassFish Server 3.0.1 Domain File Format Reference]). The right name is "crl-file" and it's an attribute of the ssl element.
<ssl crl-file="config/crl.pem" .... />
If you define this attribute, Glassfish enables the CRL checking, looking for the revoked certificates in the specified file. The solution is also valid for Glassfish v4.1.
I hope this helps someone at some point.
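Before pointing crl-file at config/crl.pem it is worth confirming what the file actually contains. The following is an added example, not code from the poster or from GlassFish: a stdlib-only Python checker that decodes a PEM CRL, lists the revoked serials with thisUpdate/nextUpdate, and fails closed when the list is past nextUpdate. The embedded sample CRL is constructed by hand for the example (placeholder signature bits, not issued by any real CA); signature verification is out of scope here.

```python
import base64
from datetime import datetime, timezone

def der_items(buf):
    # Yield (tag, value) for each DER TLV in buf; handles short- and long-form lengths
    pos = 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        yield tag, buf[pos:pos + length]
        pos += length

def der_time(raw):
    # UTCTime (YYMMDDHHMMSSZ, tag 0x17) or GeneralizedTime (YYYYMMDDHHMMSSZ, tag 0x18)
    s = raw.decode()
    fmt = "%y%m%d%H%M%SZ" if len(s) == 13 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)

def parse_crl_pem(pem):
    # CertificateList ::= SEQUENCE { tbsCertList, signatureAlgorithm, signature } (RFC 5280 5.1)
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    f = list(der_items(next(der_items(next(der_items(der))[1]))[1]))   # fields of tbsCertList
    i = 3 if f[0][0] == 0x02 else 2          # skip optional version, signature AlgId, issuer Name
    this_update, i = der_time(f[i][1]), i + 1
    next_update = None
    if i < len(f) and f[i][0] in (0x17, 0x18):
        next_update, i = der_time(f[i][1]), i + 1
    revoked = {}
    if i < len(f) and f[i][0] == 0x30:       # revokedCertificates SEQUENCE OF SEQUENCE
        for _, entry in der_items(f[i][1]):
            serial, date = list(der_items(entry))[:2]
            revoked[int.from_bytes(serial[1], "big", signed=True)] = der_time(date[1])
    return {"this_update": this_update, "next_update": next_update, "revoked": revoked}

def is_revoked(crl, serial, now=None):
    # Fail closed: once nextUpdate has passed the file must be refreshed, not trusted
    now = now or datetime.now(timezone.utc)
    if crl["next_update"] is not None and now > crl["next_update"]:
        raise ValueError("CRL is past nextUpdate; refresh config/crl.pem")
    return serial in crl["revoked"]

# Constructed sample (no real CA, placeholder signature): CN=Test CA, thisUpdate 2024-01-01,
# nextUpdate 2049-01-01, serials 0x1001 and 0x1002 revoked
SAMPLE_CRL_PEM = "-----BEGIN X509 CRL-----\n" + base64.b64encode(bytes.fromhex(
    "30 81 85  30 70  02 01 01  30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00"
    "30 12 31 10 30 0e 06 03 55 04 03 0c 07 54 65 73 74 20 43 41"
    "17 0d 32 34 30 31 30 31 30 30 30 30 30 30 5a  17 0d 34 39 30 31 30 31 30 30 30 30 30 30 5a"
    "30 2a  30 13 02 02 10 01 17 0d 32 34 30 31 30 32 30 30 30 30 30 30 5a"
    "30 13 02 02 10 02 17 0d 32 34 30 31 30 33 30 30 30 30 30 30 5a"
    "30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00  03 02 00 ff")).decode() + "\n-----END X509 CRL-----\n"
```

Run parse_crl_pem on the real config/crl.pem and compare the serial list with the certificates you expect GlassFish to reject.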

Related

Is there a good description to enable https for ejabberd?

I have installed ejabberd on a VM and I successfully made accounts and accessed the admin panel. I have tried to get HTTPS enabled via Let's Encrypt but I haven't managed to get it running. After checking the docs, Google as well as the forum here, I still didn't find a useful description to get this done.
Thanks in advance for any further information on that note.
There are a pair of paragraphs regarding Let’s Encrypt SSL certificates in this tutorial: https://www.process-one.net/blog/how-to-move-the-office-to-real-time-im-on-ejabberd/
Once you have set up the certificates, you can enable the tls option in several listeners, like ejabberd_c2s, and probably you want to enable it in ejabberd_http too. See the first example here, specifically the configuration of port 5281:
https://docs.ejabberd.im/admin/configuration/listen/#examples

Apache, Ubuntu, SSL, alias and virtual

First let me state that I am a Linux noob. I am learning as I go here. Here is my situation. I have an Ubuntu 16 LTS server with Apache. The software we just installed comes with "samples". These samples are stored in the same directory structure as the program. The instructions have you add an alias and a directory to the apache2 config file. Like so:
Alias /pccis_sample /usr/share/prizm/Samples/php
This actually worked :)
However, now we want to make sure this site is SSL. I did manage to use openssl to import to Ubuntu the certificates we wanted to use. (I am open to using self-signed, though; at this point it's non-prod so I don't care.)
While trying to find out the right way to tell Apache I want to use SSL for this directory and which cert I want to use, things went wonky on me. I did manage to get it to use SSL but with a browser warning, as one would expect with a self-signed cert. I had thought that I could just install the cert on our devs' machines and that would go away. But no dice. Now in trying to fix all that I just done broke it. SOOOO what I am looking for is not necessarily a spoon-fed answer but rather any good tools, scripts, articles, tips, tricks, gotchas that I can use to get this sucker done.
Thanks
You need to import your certificate(s) into the browsers' trusted store. For each browser on each machine you test with. "What a pain!" you probably think. You are right.
Make it less painful - go through it once. Create your own Certificate Authority, and add that to your browser's trusted certificates/issuers listing. This way, you modify each one once, but then any certificate created by your CA certificate's key will be considered valid by those clients.
https://deliciousbrains.com/ssl-certificate-authority-for-local-https-development/
Note that when configuring Apache or other services, they will still need an issued/signed certificate that corresponds correctly to the hostname that is being used to address them.
Words of warning - consider these to be big, red, bold, and blinking.
DO NOT take the lazy way and do a wildcard, etc. DO keep your key and passphrase under strict control. Remember - your clients will implicitly trust any certificate signed by this key, so it is possible for someone to use the key and create certificates for other domains and effectively MITM the clients.

HttpListener (ServiceStack) using SSL without configuration

In looking to provide a self-hosted ServiceStack backend to a single-page app, I want to require SSL.
I've seen the answers related to configuring the server with the certificate using httpcfg/netsh, but I'd like to not have that configuration step if possible.
I found this answer, but it doesn't compile.
The PrivateKey class is missing. Of course, I'm assuming PrivateKey.Save(...) does something similar to what httpcfg/netsh does during the manual configuration. My question is, is this 'no configuration' approach with SSL on HttpListener possible? Is that previously linked answer even possible? If so, where does PrivateKey come from?

Play Framework 2.1 SSL Configuration

I've spent the better part of this afternoon trying to figure out how to implement SSL/TLS support directly in the Play Framework 2.1 web server without having to use a front end proxy, to no avail. I have all of my certificates signed by a CA and I'm told Play 2.1 supports SSL, but am lost on the configuration options to use in application.conf to set this up. There doesn't appear to be a clear answer out there in the documentation.
A couple of questions:
Do I HAVE to convert my .crt and .key files to a .jks file (Java keystore) or can I use them as-is?
If I have to import to the Java keystore, can someone provide some insight into how this is done? I have seen a lot of conflicting documentation on this.
What are the configuration options in the Play Framework 2.1.x application.conf to set this up?
As I stated before, I could not find any clear answers after a couple hours of Googling, so I figured I better ask here. Also, I want to reiterate - I DO NOT want to use a front-end web server like Apache for specific reasons, so I am looking ONLY to set up SSL/TLS support directly in Play.
EDIT:
I have found this thread: http://grokbase.com/t/gg/play-framework/1326s1ttny/2-1-ssl but I still can't get any of it to work. I'm not sure if I've created the JKS file correctly by combining all of my bundled CRT files AND the private key into a single file and then importing, and I'm not sure what I should use for the "path to keystore".

CryptAcquireCertificatePrivateKey failed when using SelfSSL on IIS6 with multiple Websites

I have two "Web Sites" running under IIS6 (Windows Server 2003R2 Standard), each bound to a separate IP address (one is the base address of the server).
I used SelfSSL to generate and install an SSL certificate for development purposes on one of these sites and it works great. I then run SelfSSL to generate a certificate for the second site and the second site works, but now the first site is broken over SSL.
I run SSL Diagnostics and it tells me:
WARNING: You have a private key that corresponds to this certificate but CryptAcquireCertificatePrivateKey failed
If I re-run SelfSSL on the first site (to fix it), the first site works but then the second site is broken.
It seems like SelfSSL is doing something in a way that is designed to work with only one Website, but I can't seem to put my finger on exactly what it's doing and figure out how to suppress it. I would manually configure SSL but I don't have a certificate server handy, but maybe there is a way to get SelfSSL to just gen the cert and let me install it?
FWIW I have also followed the guidance of several posts that indicate changes to the permissions of the RSA directory are in order, etc., but to no avail. I don't work with SSL every day, so I may be overlooking something that someone with more experience might notice, or perhaps there is a diagnostic process that I could follow to get to the bottom of the issue?
We had a similar problem today. Our IT guy said he solved it by basically using ssldiag instead of selfssl to generate the certs.
See the reply from jayb123 at this URL: http://social.msdn.microsoft.com/forums/en-US/netfxnetcom/thread/15d22105-f432-4d8f-a57a-40941e0879e7
I have to admit I don't fully understand what happened, but I'm on the programming side rather than the network admin side.